New York State Bar Association, Health Law Section
Electronic Transmission, Security & Privacy Regulations Update

As many of you already know, the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") requires the health care industry to take extensive and costly measures to simplify and secure the electronic transmission of medical information, as well as protect the confidentiality of such information.

As has been reported in the newspapers and on network news shows, the final privacy regulations under HIPAA, one of the three main parts of this regulatory scheme, were released by the President on December 20, 2000. They run over 1500 pages and are substantially different from the rules proposed in November 1999.

While it is likely that the Bush Administration will revise the regulations, at this time covered entities are expected to be fully compliant with them by April 2003.

MAIN POINTS

In contrast to the proposed rules, the final regulations will:

* Protect all personal health information (oral, written and electronic) that is created or held by covered entities (providers, insurers, and health care clearinghouses).

* Require written consent for routine disclosure of medical information, in addition to special patient authorization for non-routine disclosure.

In addition, the final regulations require that:

* Each patient, upon request, receive a disclosure history, including to whom and why information has been disclosed.

* Patients have a right to access, copy and amend their records. (New York currently has access and copy rules.)

* Employers may not obtain health information about employees or prospective employees without authorization.

* Privacy-conscious business practices be established and internal controls be placed in every element of a covered entity's business, including designation of a privacy officer, employee training, complaint handling and contracting with business partners.

PRIVACY REGULATIONS MAY NOT BE COMPLETE

Three issues of major concern:

* The final regulations DO NOT preempt more stringent state privacy laws. For companies doing interstate business, compliance is therefore incrementally more expensive and difficult, since each state's stricter rules must be met as well. This issue prevented Congress from reaching closure last time.

* Congress may act to modify these regulations through statute.

* Many potential subcontractors are not covered directly by the new regulations. Their privacy obligations are regulated through their contracts with "covered entities." A covered entity may be obligated to terminate a contract if it knows that its subcontractor, known as a "business associate," is violating the privacy rules. Congress could act to extend the regulations to such business associates.

Note: Due diligence on potential subcontractors must therefore include an assessment of their privacy capabilities, since a covered entity remains responsible for what its business associates do with the information it shares.

The Department of Health and Human Services estimates it will cost $5.8 billion for hospitals to become HIPAA compliant; other estimates have been significantly higher. Note that this figure covers hospitals only and does not address the cost to the rest of the health care industry. Significant civil and criminal penalties may be levied against those who fail to comply or who improperly use information.